Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
In our organization we use a static IP addressing scheme (some departments have DHCP, which is not related to this thread). We use Squid as our proxy.
We assign each machine its IP address and make an entry in our TinyDNS database, and provide those details to users, which they manually enter in their config and then access the network. We assign different ranges of IPs to different departments. This we consider the "proper way" for our organization.
But we have found that a lot of users are simply guessing some IPs and using them without having any entry in our DNS record. Though this works for some, most of the time we end up having IP conflicts and disorganization in our organizational allocation policy.
So, my question is: how do I block the specific IPs whose entry is not explicitly defined in our DNS record? In other words, if the IP 192.168.20.15 (let's say he is jack.ourorganization.com) is defined in our DNS, we should allow access, whereas if IP 192.168.20.16 (this does not translate to any user, as it is not defined in our DNS) is not defined in our DNS, we should not allow it access to our network.
I hope my friends here will be able to guide me. Thanks in advance.
What you really need to be doing is monitoring this on your subnets. If not at the managed switch level, look into the arpwatch program. It is extremely handy for this purpose.
By default, OpenSSH enables a feature (the sshd_config directive is UseDNS) that will warn you when a forward and reverse DNS lookup do not match for a client. If you've not created a DNS record for a particular IP, this should fire off a warning to your logs, and you can deal with it at that time.
Additionally, TCP wrappers (controlled using /etc/hosts.allow) provide a PARANOID wildcard that can allow you to act on sshd clients whose DNS/rDNS records don't match up.
Still, if someone grabs an IP address that is registered with your DNS, this doesn't help you. Again, the answer is to start monitoring your subnets and more forcefully addressing the root cause of the problem.
I don't know if you will, if they are on the one network. If anyone is half determined, he can surely get around what you can do. DNS resolves to dotted decimal; that's why blocking dotted decimal is a tricky approach. You could lose them for a while going to IPv6 in octal :-D. Can you split the thing up into departments, subnets, or levels and control access that way?
Block all local IPs in Squid and selectively allow only the registered IPs. Already compiled a database (phew).
** We have UPSes, biometric access devices, IP cams, instruments, fire alarms (?), etc., which may not be registered in our DNS, so we need to be careful before blocking them.
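As an added illustration of the approach the poster settled on (not code from the thread or the poster's own database), the script below parses a constructed sample of TinyDNS data-file lines, collects every local address that actually has an A record, merges in a hand-maintained exception list for the non-DNS devices mentioned above, and renders the Squid "src" ACL list that allows only those addresses. The TinyDNS sample, the exception addresses and the /etc/squid paths in the comments are assumptions, not values from the thread.

```python
import ipaddress

# Constructed TinyDNS "data" lines (sample, not the poster's real database).
#   '=' = A record plus matching PTR, '+' = A record only; fields are fqdn:ip:ttl.
SAMPLE_TINYDNS_DATA = """\
=jack.ourorganization.com:192.168.20.15:86400
+printer1.ourorganization.com:192.168.20.40:86400
=ups1.ourorganization.com:192.168.30.5:86400
# comment lines and non-address record types are ignored below
'ourorganization.com:v=spf1 -all:86400
.ourorganization.com:192.168.1.2:ns1.ourorganization.com:259200
"""

# Devices deliberately absent from DNS (UPSes, cameras, ...) that must keep working.
# Placeholder addresses, maintained by hand.
NON_DNS_DEVICES = {"192.168.20.200", "192.168.20.201"}


def registered_ips(data, local_net):
    """Set of IPv4 addresses inside local_net that have an A record ('=' or '+')."""
    net = ipaddress.ip_network(local_net)
    found = set()
    for line in data.splitlines():
        if not line or line[0] not in "=+":
            continue                      # comment, PTR-only, NS, TXT, ... lines
        fields = line[1:].split(":")
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                      # malformed address field
        if ip in net:
            found.add(str(ip))
    return found


def is_allowed(client_ip, data, local_net, exceptions=NON_DNS_DEVICES):
    """The thread's policy: a client may use the proxy only if its IP has a DNS entry
    (192.168.20.15 above) or is on the exception list; a guessed IP (192.168.20.16) is refused."""
    return str(ipaddress.ip_address(client_ip)) in registered_ips(data, local_net) | exceptions


def squid_acl_file(data, local_net, exceptions=NON_DNS_DEVICES):
    """Contents of a Squid 'src' ACL list file, one address per line, in address order.
    Assumed squid.conf fragment using it (allow must precede the local deny):
        acl localnet   src 192.168.0.0/16
        acl registered src "/etc/squid/registered_ips.txt"
        http_access allow registered
        http_access deny  localnet"""
    allowed = registered_ips(data, local_net) | exceptions
    return "\n".join(sorted(allowed, key=ipaddress.ip_address)) + "\n"
```

Regenerate the list file whenever the TinyDNS data changes and reload Squid, so a freshly registered host is allowed and a removed one stops working, which also makes the unregistered-device gap from the note above visible as a proxy denial rather than an IP conflict.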